[Mailman-Users] Edit options security flaw

Mark Sapiro msapiro at value.net
Tue Dec 14 01:28:11 CET 2004


Tokio Kikuchi wrote:

>Marius Amado Alves wrote:
>
>> Sometimes version 2.1.5 lets a user A edit the options of another user B 
>> as follows.
>> 
>> User A consults the member list (using his name and password normally). 
>> Here A picks an email address of user B. User A returns to the main 
>> page, enters address of B in the Edit options slot and presses Edit 
>> options. Normally Mailman requires a password, but sometimes IT DOES NOT 
>> and goes straight to the editable options list page.
>> 
>> I'd like to know if somebody else has experienced this behavior.
>
>Isn't user A also the owner of the list?
>If he has logged in at the admin page and goes to the options page of any 
>member of the list, then the password input is bypassed. Go to the admin 
>page and click the Logout link. Then try again for user B.

As Tokio points out, if user A logged in with the list password rather
than user A's personal password, this explains the behavior and is not
a problem since someone who knows the list password is allowed to
visit any options page.

Even if user A provided her/his personal password when visiting the
roster, if he/she had previously logged in with the list password
during that session and not logged out, the list admin login cookie
will still be in the browser, enabling visits to other users' options
pages without their passwords.

Other than this, I am unable to duplicate this problem in any way that
might be a security breach. I have tried both the scenario that Marius
gives and also just clicking user B's address in the roster, which is
processed the same way. The only times I can successfully reach user
B's options page without a password are those times when I have
previously logged in with the list password and not logged out or
closed the browser in between.

--
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
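The behaviour Mark and Tokio describe (a list-admin login cookie left in the browser authorises any member's options page until Logout clears it) can be modelled in a few lines. The following is an added example written for this thread, not Mailman's own code: the cookie name, the `ListServer` class and the `reproduce_thread_scenario` function are constructed for illustration, and the member and admin passwords are made-up values. It also records which credential authorised each options-page visit, which is the distinction a list owner would want when deciding whether a report like Marius's is a breach or an expected admin session.

```python
# Toy model of Mailman's two authorisation paths to a member options page
# (added example, NOT Mailman's own code): the member's personal password,
# or a list-admin cookie still present from an earlier admin-page login.
from dataclasses import dataclass, field
import hmac


@dataclass
class Browser:
    """Cookies a browser keeps for the Mailman site (constructed)."""
    cookies: dict = field(default_factory=dict)


class ListServer:
    """Minimal list: one admin password, a few member passwords (constructed)."""

    def __init__(self, listname, admin_password, members):
        self.listname = listname
        self._admin_password = admin_password
        self._members = dict(members)          # address -> personal password
        self.access_log = []                   # (address, authorised_by)

    def _admin_cookie(self):
        # Hypothetical cookie name; only the per-list scoping matters here.
        return f"{self.listname}+admin"

    def admin_login(self, browser, password):
        """Admin page login: on success the browser receives an admin cookie."""
        if hmac.compare_digest(password, self._admin_password):
            browser.cookies[self._admin_cookie()] = "session-token"
            return True
        return False

    def admin_logout(self, browser):
        """The Logout link Tokio refers to: drop the admin cookie."""
        browser.cookies.pop(self._admin_cookie(), None)

    def options_page(self, browser, address, password=None):
        """Return 'options', 'password-required' or 'denied' and log why."""
        if address not in self._members:
            return "denied"
        if self._admin_cookie() in browser.cookies:
            # Admin cookie authorises every member's page, no password asked.
            self.access_log.append((address, "admin-cookie"))
            return "options"
        if password is not None and hmac.compare_digest(
            password, self._members[address]
        ):
            self.access_log.append((address, "member-password"))
            return "options"
        return "password-required"


def reproduce_thread_scenario():
    """Walk through Marius's report with and without a lingering admin cookie."""
    server = ListServer(
        "demo-list",
        admin_password="list-admin-secret",            # constructed
        members={"a@example.invalid": "pw-a",          # user A
                 "b@example.invalid": "pw-b"},         # user B
    )
    browser = Browser()
    results = {}

    # Earlier in the session user A logged in on the admin page ...
    server.admin_login(browser, "list-admin-secret")
    # ... so B's options page opens with no password at all.
    results["admin_cookie_present"] = server.options_page(
        browser, "b@example.invalid")

    # After the Logout link, the same request is challenged again.
    server.admin_logout(browser)
    results["after_logout"] = server.options_page(browser, "b@example.invalid")

    # A's own password does not open B's page; B's does.
    results["wrong_password"] = server.options_page(
        browser, "b@example.invalid", password="pw-a")
    results["own_password"] = server.options_page(
        browser, "b@example.invalid", password="pw-b")

    results["log"] = list(server.access_log)
    return results


if __name__ == "__main__":
    for key, value in reproduce_thread_scenario().items():
        print(f"{key}: {value}")
```

The access log is the useful part for a list owner: an entry of `admin-cookie` for another member's address is the signature of exactly the situation Mark describes, while `member-password` entries for someone else's address would be the thing actually worth investigating.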